SSL · © Ravi Sandhu 2 CONTEXT Mid to late 90’s SSL 1.0 never released SSL 2.0 flawed SSL 3.0 complete redesign TLS from Netscape to IETF Competitors SET backed by credit ...

SSL

Prof. Ravi Sandhu

2© Ravi Sandhu

CONTEXT

� Mid to late 90’s

� SSL 1.0 never released

� SSL 2.0 flawed

� SSL 3.0 complete redesign

� TLS from Netscape to IETF

� Competitors

� SET backed by credit card companies

� S-HTTP (as opposed to https)

� IPSEC backed by IETF committees

� SSH for secure remote access to Unix hosts

3© Ravi Sandhu

CRYPTOGRAPHIC SERVICES

� Confidentiality

� Encryption leaks profusely via side channels

� Authentication + Integrity

� No point having one without the other

� Non-repudiation

� Requires asymmetric cryptography

4© Ravi Sandhu

SYMMETRIC KEY

ENCRYPTION

EncryptionAlgorithm E

DecryptionAlgorithm D

Plain-text

Plain-text

Ciphertext

INSECURE CHANNEL

K KSymmetric Keyshared byA and B

CONFIDENTIAL AND AUTHENTICATED CHANNEL

AA BB

5© Ravi Sandhu

SYMMETRIC KEY

AUTHENTICATION

MACAlgorithm M

VerificationAlgorithm V

Plain-text

Yes/NoPlaintext + MAC

INSECURE CHANNEL

K

AA BB

K

MAC: Message Authentication Code

CONFIDENTIAL AND AUTHENTICATED CHANNEL

6© Ravi Sandhu

ASYMMETRIC KEY

ENCRYPTION

EncryptionAlgorithm E

DecryptionAlgorithm D

Plain-text

Plain-text

Ciphertext

INSECURE CHANNEL

B's Public Key B's Private Key

AUTHENTICATED CHANNEL

AA BB

7© Ravi Sandhu

ASYMMETRIC KEY DIGITAL

SIGNATURES

SignatureAlgorithm S

VerificationAlgorithm V

Plain-text

Yes/NoPlaintext + Signature

INSECURE CHANNEL

A's Private Key A's Public Key

AUTHENTICATED CHANNEL

AA BB

8© Ravi Sandhu

SPEED OF ASYMMETRIC KEY

VERSUS SYMMETRIC KEY

� Asymmetric key runs 2-3 orders of magnitude slower than symmetric key

� This large difference in speed is likely to remain independent of technology advances

9© Ravi Sandhu

MESSAGE DIGEST

message digest algorithm

original messageno practical limit to size

message digest160 biteasy hard

sign the message digest

not the message

10© Ravi Sandhu

CHALLENGE RESPONSE

AUTHENTICATION

HOSTWORK

STATION

NETWORK

User ID

Challenge

Response

11© Ravi Sandhu

PUBLIC-KEY CERTIFICATES

� authenticated distribution of public-

keys

� public-key encryption

� sender needs public key of receiver

� public-key digital signatures

� receiver needs public key of sender

� public-key key agreement

� either one or both need the other’s public key

12© Ravi Sandhu

X.509v1 CERTIFICATE

authenticated distribution of public-keys

VERSION

SERIAL NUMBER

SIGNATURE ALGORITHM

ISSUER

VALIDITY

SUBJECT

SUBJECT PUBLIC KEY INFO

SIGNATURE

13© Ravi Sandhu

X.509v1 CERTIFICATE

1

1234567891011121314

RSA+MD5, 512

C=US, S=VA, O=GMU, OU=ISE

9/9/99-1/1/1

C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu

RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx

SIGNATURE

14© Ravi Sandhu

CRL FORMAT

SIGNATURE ALGORITHM

ISSUER

LAST UPDATE

NEXT UPDATE

REVOKED CERTIFICATES

SIGNATURE

SERIAL NUMBER

REVOCATION DATE

15© Ravi Sandhu

X.509 CERTIFICATES

� X.509v1� very basic

� X.509v2� adds unique identifiers to prevent

against reuse of X.500 names

� X.509v3� adds many extensions

� can be further extended

16© Ravi Sandhu

CERTIFICATE TRUST

� how to acquire public key of the

issuer to verify signature

� whether or not to trust certificates

signed by the issuer for this subject

17© Ravi Sandhu

SINGLE ROOT CA MODEL

Root

CA

a b c d e f g h i j k l m n o p

Root

CAUser

18© Ravi Sandhu

SINGLE ROOT CA

MULTIPLE RA’s MODEL

Root

CA

a b c d e f g h i j k l m n o p

Root

CA

User RA

User RA

User RA

19© Ravi Sandhu

MULTIPLE ROOT CA’s

MODEL

Root

CA

a b c d e f g h i j k l m n o p

Root

CAUser

Root

CA

Root

CA

Root

CAUser

Root

CAUser

20© Ravi Sandhu

MULTIPLE ROOT CA’s PLUS

INTERMEDIATE CA’s MODEL

X

Q

A

R

S T

C E G I K M O

a b c d e f g h i j k l m n o p

ESTABLISHED BROWSER MODEL

21© Ravi Sandhu

SECURE ELECTRONIC TRANSACTIONS

(SET) CA HIERARCHY

Root

Brand BrandBrand

Geo-Political

Bank Acquirer

Customer Merchant

22© Ravi Sandhu

THE CERTIFICATE

TRIANGLE

user

attribute public-key

X.509

identity

certificate

X.509

attribute

certificate

SPKI

certificate

23© Ravi Sandhu

SSL SERVICES

� peer entity authentication

� data confidentiality

� data authentication and integrity

� compression/decompression

� generation/distribution of session keys

� integrated into protocol

� security parameter negotiation

24© Ravi Sandhu

SSL ARCHITECTURE

SSL Record Protocol

TCP

IP

SSLHandshake

Protocol

SSL ChangeCipher Spec

Protocol

SSLAlert

ProtocolHTTP

OtherApplicationProtocols

25© Ravi Sandhu

APPLICATION PORTS

� https 443

� ssmtp 465

� snntp 563

� sldap 636

� spop3 995

� ftp-data 889

� ftps 990

� imaps 991

� telnets 992

� ircs 993

26© Ravi Sandhu

SSL ARCHITECTURE

� Handshake protocol: complicated� embodies key exchange & authentication

� 10 message types

� Record protocol: straightforward� fragment, compress, MAC, encrypt

� Change Cipher Spec protocol: straightforward� single 1 byte message with value 1

� could be considered part of handshake protocol

� Alert protocol: straightforward� 2 byte messages

• 1 byte alert level- fatal or warning; 1 byte alert code

27© Ravi Sandhu

SSL SESSION

� SSL session negotiated by handshake protocol

� session ID• chosen by server

� X.509 public-key certificate of peer• possibly null

� compression algorithm

� cipher spec• encryption algorithm

• message digest algorithm

� master secret

• 48 byte shared secret

� is resumable flag• can be used to initiate new connections

• each session is created with one connection, but additional connections within the session can be further created

28© Ravi Sandhu

SSL CONNECTION STATE

� connection end: client or server

� client and server random: 32 bytes each

� keys generated from master secret, client/server random

� client_write_MAC_secret server_write_MAC_secret

� client_write_key server_write_key

� client_write_IV server_write_IV

� compression state

� cipher state: initially IV, subsequently next feedback block

� sequence number: starts at 0, max 264-1

29© Ravi Sandhu

SSL CONNECTION STATE

� 4 parts to state

� current read state

� current write state

� pending read state

� pending write state

� handshake protocol

� initially current state is empty

� either pending state can be made current and reinitialized to empty

30© Ravi Sandhu

SSL RECORD PROTOCOL

� 4 steps by sender (reversed by receiver)

� Fragmentation

� Compression

� MAC

� Encryption

31© Ravi Sandhu

SSL RECORD PROTOCOL

� each SSL record contains

� content type: 8 bits, only 4 defined

• change_cipher_spec

• alert

• handshake

• application_data

� protocol version number: 8 bits major, 8 bits minor

� length: max 16K bytes (actually 214+2048)

� data payload: optionally compressed and encrypted

� message authentication code (MAC)

32© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

� initially SSL session has null

compression and cipher algorithms

� both are set by the handshake

protocol at beginning of session

� handshake protocol may be repeated

during the session

33© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

� Type: 1 byte

� 10 message types defined

� length: 3 bytes

� content

34© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

Client Server

ClientHello -------->

ServerHello

Certificate*

ServerKeyExchange*

CertificateRequest*

<-------- ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not

always sent.

Phase 1

Phase 2

Phase 3

Phase 4

Record

Protocol

35© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

� Phase 1:� Establish security capabilities

� Phase 2:� Server authentication and key exchange

� Phase 3:� Client authentication and key exchange

� Phase 4:� Finish

36© Ravi Sandhu

SSL 1-WAY HANDSHAKE

WITH RSA

Client Server

ClientHello -------->

ServerHello

Certificate*

ServerKeyExchange*

CertificateRequest*

<-------- ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not

always sent.

Phase 1

Phase 2

Phase 3

Phase 4

Record

Protocol

37© Ravi Sandhu

SSL 2-WAY HANDSHAKE

WITH RSA

Client Server

ClientHello -------->

ServerHello

Certificate*

ServerKeyExchange*

CertificateRequest*

<-------- ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not

always sent.

Phase 1

Phase 2

Phase 3

Phase 4

Record

Protocol

38© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

� these 9 handshake messages must occur in order shown

� optional messages can be eliminated

� 10th message explained later� hello_request message

� change_cipher_spec is a separate 1 message protocol� functionally it is just like a message in the

handshake protocol

39© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

Client Server

ClientHello -------->

ServerHello

[ChangeCipherSpec]

<-------- Finished

[ChangeCipherSpec]

Finished -------->

Application Data <-------> Application Data

Fig. 2 - Message flow for an abbreviated handshake

40© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

� hello_request (not shown) can be sent anytime from server to client to request client to start handshake protocol to renegotiate session when convenient

� can be ignored by client

� if already negotiating a session

� don’t want to renegotiate a session

• client may respond with a no_renegotiation alert

41© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

Client Server

ClientHello -------->

ServerHello

Certificate*

ServerKeyExchange*

CertificateRequest*

<-------- ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not

always sent.

Phase 1

Phase 2

Phase 3

Phase 4

Record

Protocol

42© Ravi Sandhu

SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES

� client hello

� 4 byte timestamp, 28 byte random value

� session ID:

• non-zero for new connection on existing session

• zero for new connection on new session

� client version: highest version

� cipher_suite list: ordered list

� compression list: ordered list

43© Ravi Sandhu

SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES

� server hello

� 32 byte random value

� session ID:

• new or reuse

� version

• lower of client suggested and highest supported

� cipher_suite list: single choice

� compression list: single choice

44© Ravi Sandhu

SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES

� cipher suite� key exchange method

• RSA: requires receiver’s public-key certificates

• Fixed DH: requires both sides to have public-key certificates

• Ephemeral DH: signed ephemeral keys are exchanged, need signature keys and public-key certificates on both sides

• Anonymous DH: no authentication of DH keys, susceptible to man-in-the-middle attack

• Fortezza: Fortezza key exchange

we will ignore Fortezza from here on

45© Ravi Sandhu

SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES

� cipher suite

� cipher spec

• CipherAlgorithm: RC4, RC2, DES, 3DES, DES40,

IDEA, Fortezza

• MACAlgorithm: MD5 or SHA-1

• CipherType: stream or block

• IsExportable: true or false

• HashSize: 0, 16 or 20 bytes

• Key Material: used to generate write keys

• IV Size: size of IV for CBC

46© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

Client Server

ClientHello -------->

ServerHello

Certificate*

ServerKeyExchange*

CertificateRequest*

<-------- ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not

always sent.

Phase 1

Phase 2

Phase 3

Phase 4

Record

Protocol

47© Ravi Sandhu

SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE

� Certificate message

� server’s X.509v3 certificate followed by optional chain of

certificates

� required for RSA, Fixed DH, Ephemeral DH but not for

Anonymous DH

� Server Key Exchange message

� not needed for RSA, Fixed DH

� needed for Anonymous DH, Ephemeral DH

� needed for RSA where server has signature-only key

• server sends temporary RSA public encryption key to client

48© Ravi Sandhu

SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE

� Server Key Exchange message� signed by the server

� signature is on hash of

• ClientHello.random, ServerHello.random

• Server Key Exchange parameters

� Certificate Request message� request a certificate from client

� specifies Certificate Type and Certificate Authorities

• certificate type specifies public-key algorithm and use

� Server Done message� ends phase 2, always required

49© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

Client Server

ClientHello -------->

ServerHello

Certificate*

ServerKeyExchange*

CertificateRequest*

<-------- ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not

always sent.

Phase 1

Phase 2

Phase 3

Phase 4

Record

Protocol

50© Ravi Sandhu

SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE

� Certificate message

� send if server has requested certificate and client has appropriate certificate

• otherwise send no_certificate alert

� Client Key Exchange message

� content depends on type of key exchange (see next slide)

� Certificate Verify message

� can be optionally sent following a client certificate with signing capability

� signs hash of master secret (established by key exchange) and all handshake messages so far

� provides evidence of possessing private key corresponding to certificate

51© Ravi Sandhu

SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE

� Client Key Exchange message

� RSA

• client generates 48-byte pre-master secret, encrypts

with server’s RSA public key (from server certificate

or temporary key from Server Key Exchange

message)

� Ephemeral or Anonymous DH

• client’s public DH value

� Fixed DH

• null, public key previously sent in Certificate Message

52© Ravi Sandhu

SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION

� 48 byte pre master secret

� RSA

• generated by client

• sent encrypted to server

� DH

• both sides compute the same value

• each side uses its own private value and the other sides public value

53© Ravi Sandhu

SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION

master_secret = PRF(pre_master_secret, "master secret",

ClientHello.random + ServerHello.random)

[0..47];

pre_master_secret: 48 bytes

PRF is composed of a sequence and nesting of HMACs

54© Ravi Sandhu

SSL HANDSHAKE

PROTOCOL

Client Server

ClientHello -------->

ServerHello

Certificate*

ServerKeyExchange*

CertificateRequest*

<-------- ServerHelloDone

Certificate*

ClientKeyExchange

CertificateVerify*

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not

always sent.

Phase 1

Phase 2

Phase 3

Phase 4

Record

Protocol

55© Ravi Sandhu

SSL HANDSHAKE: PHASE 4FINISH

� Change Cipher Spec message

� not considered part of handshake protocol but in some sense is part of it

� Finished message

� sent under new algorithms and keys

� content is hash of all previous messages and master secret

56© Ravi Sandhu

SSL HANDSHAKE: PHASE 4FINISH

� Change Cipher Spec message

� 1 byte message protected by current state

� copies pending state to current state

• sender copies write pending state to write current

state

• receiver copies read pending state to read current

state

� immediately send finished message under new current state

57© Ravi Sandhu

SSL HANDSHAKE: PHASE 4FINISH

verify_data

PRF(master_secret, finished_label, MD5(handshake_messages)+

SHA-1(handshake_messages)) [0..11];

finished_label

For Finished messages sent by the client, the string "client

finished". For Finished messages sent by the server, the

string "server finished".

handshake_messages

All of the data from all handshake messages up to but not

including this message. This is only data visible at the

handshake layer and does not include record layer headers.

Finished message

58© Ravi Sandhu

SSL ALERT PROTOCOL

� 2 byte alert messages

� 1 byte level

• fatal or warning

� 1 byte

• alert code

59© Ravi Sandhu

SSL ALERT MESSAGESWarning or fatal

close_notify(0),

unexpected_message(10),

bad_record_mac(20),

decryption_failed(21),

record_overflow(22),

decompression_failure(30),

handshake_failure(40),

bad_certificate(42),

unsupported_certificate(43),

certificate_revoked(44),

certificate_expired(45),

certificate_unknown(46),

illegal_parameter(47),

unknown_ca(48),

access_denied(49),

decode_error(50),

decrypt_error(51),

export_restriction(60),

protocol_version(70),

insufficient_security(71),

internal_error(80),

user_canceled(90),

no_renegotiation(100),

60© Ravi Sandhu

SSL ALERT MESSAGES

� always fatal

� unexpected_message

� bad_record_mac

� decompression_failure

� handshake_failure

� illegal_parameter

61© Ravi Sandhu

SERVER-SIDE SSL (OR 1-WAY)

HANDSHAKE WITH RSA

Client Server

ClientHello -------->

ServerHello

Certificate

<-------- ServerHelloDone

ClientKeyExchange

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Record

Protocol

Handshake

Protocol

62© Ravi Sandhu

SERVER-SIDE

MASQUARADING

Bob

Web browser

www.host.com

Web serverServer-side SSL

Ultratrust

Security

Services

www.host.com

63© Ravi Sandhu

SERVER-SIDE

MASQUARADING

Bob

Web browser

www.host.com

Web server

Server-side SSL Ultratrust

Security

Services

www.host.comMallory’s

Web server

BIMM

Corporation

www.host.com

Server-side SSL

64© Ravi Sandhu

SERVER-SIDE

MASQUARADING

Bob

Web browser

www.host.com

Web server

Server-side SSL Ultratrust

Security

Services

www.host.comMallory’s

Web server

Server-side SSL

BIMM

Corporation

Ultratrust

Security

Services

www.host.com

65© Ravi Sandhu

CLIENT-SIDE SSL (OR 2-WAY)

HANDSHAKE WITH RSA

Client Server

ClientHello -------->

ServerHello

Certificate

CertificateRequest

<-------- ServerHelloDone

Certificate

ClientKeyExchange

CertificateVerify

[ChangeCipherSpec]

Finished -------->

[ChangeCipherSpec]

<-------- Finished

Application Data <-------> Application Data

Record

Protocol

Handshake

Protocol

66© Ravi Sandhu

MAN IN THE MIDDLE

MASQUARADING PREVENTED

Bob

Web browser

www.host.com

Web server

Client-side SSL

Ultratrust

Security

Services

www.host.com

Mallory’s

Web server

BIMM

Corporation

Client-side SSL

Ultratrust

Security

Services

www.host.com

Client Side SSL

end-to-endUltratrust

Security

Services

Bob

BIMM

Corporation

Ultratrust

Security

Services

Bob

67© Ravi Sandhu

SSL

� Deployed in broken form

� Guardian of e-commerce

� World’s most successful crypto

protocol